The Microsoft security hole at the heart of Russian election hacking

We’re reliving the Visual Basic-spawned bad times of 1999.

Russian hacking of the 2016 election went deeper than breaking into the Democratic National Committee and the Clinton campaign — the Russians also hacked their way into getting information about election-related hardware and software shortly before voting began.

The Intercept published a top-secret National Security Agency document that shows exactly how the Russians did their dirty work in targeting election hardware and software. At the heart of the hack is a giant Microsoft security hole that has been around since before 2000 and still hasn’t been closed. And likely never will.

Before we get to the security hole, here’s a little background about how the Russian scheme worked, spelled out in detail by the secret NSA document. Allegedly, Russia’s military intelligence agency, the GRU, launched a spearphishing campaign against a U.S. company that develops U.S. election systems. (The Intercept notes that the company was likely “VR Systems, a Florida-based vendor of electronic voting services and equipment whose products are used in eight states.”) Fake Google Alert emails were sent from noreplyautomaticservice@gmail.com to seven of the company’s employees. The employees were told they needed to immediately log into a Google website. The site was fake; when at least one employee logged in, his credentials were stolen.

Using those credentials, the GRU hacked into the election company, the NSA found, and stole documents for a second, far more dangerous spearphishing attack. In this second attack, launched either on Oct. 31 or Nov. 1, 2016, spearphishing emails were sent to 122 email addresses “associated with named local government organizations,” which probably belonged to officials “involved in the management of voter registration systems.” In other words, the Russians targeted people who maintain voter registration rolls.

Here’s where the Microsoft security hole comes in. Attached to those emails were Microsoft Word documents that the emails claimed were documentation for VR Systems’ EViD voter database product line. In fact, though, they were “trojanized Microsoft Word documents … containing a malicious Visual Basic script that spawns PowerShell and uses it to execute a series of commands to retrieve and then run an unknown payload from malicious infrastructure. … The unknown payload very likely installs a second payload which can then be used to establish persistent access to survey the victim for items of interest to threat actors.”

In plain English, the Word document opened a back door into the victims’ computers, allowing the Russians to install any malware they wanted and get virtually any piece of information to which the victims had access.

It’s not clear what election information the Russians were able to gather or how they might have used it. But by using the Microsoft security hole, they were potentially able to get very close to states’ election hardware and software, and possibly voter rolls as well.